Skip to content
Snippets Groups Projects
Commit 3af3a13b authored by Sandeep Patil's avatar Sandeep Patil
Browse files

sepolicy: Fix renderscript driver lookup 


Renderscript drivers are loaded from /vendor/lib64 by following the
/system/vendor symlink. This change fixes a couple of things.
- Allows all domains access to follow the symlink
- Restores app domain permissions for /vendor for non-treble devices
- Allow app domains to peek into /vendor/lib64, but NOT grant 'execute'
  permissions for everything. Since RS drivers can be loaded into any
  process, their vendor implementation and dependencies have been
  marked as 'same process HALs' already.

Bug: 37169158
Test: Tested on sailfish (Treble) & Angler (non-treble)
      ./cts-tradefed run cts -m CtsRenderscriptTestCases \
      --skip-device-info --skip-preconditions --skip-connectivity-check \
      --abi arm64-v8a
      Result: Tests Passed: 743 Tests Failed: 0

Change-Id: I36f5523381428629126fc196f615063fc7a50b8e
Signed-off-by: default avatarSandeep Patil <sspatil@google.com>
parent d0e9cb05
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
private/app.te
+ 10
0
View file @ 3af3a13b
...@@ -93,6 +93,16 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p ...@@ -93,6 +93,16 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p
# Renderscript needs the ability to read directories on /system # Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms; allow appdomain system_file:dir r_dir_perms;
allow appdomain system_file:lnk_file { getattr open read }; allow appdomain system_file:lnk_file { getattr open read };
# Renderscript specific permissions to open /system/vendor/lib64.
not_full_treble(`
allow appdomain vendor_file_type:dir r_dir_perms;
allow appdomain vendor_file_type:lnk_file { getattr open read };
')
full_treble_only(`
# For looking up Renderscript vendor drivers
allow { appdomain -isolated_app } vendor_file:dir { open read };
')
# Allow apps access to /vendor/app except for privileged # Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor. # apps which cannot be in /vendor.
......
public/domain.te
+ 6
2
View file @ 3af3a13b
...@@ -129,8 +129,12 @@ allow domain vendor_configs_file:dir r_dir_perms; ...@@ -129,8 +129,12 @@ allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr }; allow domain vendor_configs_file:file { read open getattr };
full_treble_only(` full_treble_only(`
# This is required "most likely" for LD_LIBRARY_PATH # Allow all domains to be able to follow /system/vendor symlink
# (b/36681074) allow domain vendor_file:lnk_file { getattr open read };
# This is required to be able to search & read /vendor/lib64
# in order to lookup vendor libraries. The 'execute' permission
# for coredomains is granted *only* for same process HALs
allow domain vendor_file:dir { getattr search }; allow domain vendor_file:dir { getattr search };
# Allow reading and executing out of /vendor to all vendor domains # Allow reading and executing out of /vendor to all vendor domains
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment